Security Quest #13: Microsoft Patch Tuesday

Yesterday was Patch Tuesday for December and Microsoft released seven security bulletins. There weren’t any Office updates but there were updates for all supported OSes – Windows 2000 Professional SP4 to Windows XP SP2, and Windows Vista – along with updates for Internet Explorer 6 and IE 7. All the updates are available through Automatic Updates or the Microsoft web site. Microsoft has said that exploits for the IE vulnerabilities are already being used. Click the bulletin number to go directly to the MS bulletin. I do not mention server OSes when saying what OS the patch is for, only desktop OSes and apps.

MS07-063 is for Windows Vista, including the 64-bit version, and is rated as Important. The vulnerability could allow remote code execution but it’s mitigated by the fact that SMB2 is off by default and not used when connecting to previous OSes (like Windows XP).

MS07-064 is for DirectX 7 and 8 on Windows 2000; DirectX 9 on Windows 2000, Windows XP and Windows Vista; DirectX 10 on Windows Vista. The patch is rated Critical on all systems.

MS07-065 is for Windows 2000 Pro and Windows XP. It’s rated as Important on Windows 2000 and Moderate on Windows XP. An attacker that already has valid logon credentials could elevate their privileges.

MS07-066 is for Windows Vista, including 64-bit, and is rated as Important. The vulnerability could allow the elevation of privileges.

MS07-067 is for Windows XP and it’s rated as Important. It also allows privilege elevation.

MS07-068 is for Windows 2000, Windows XP and Windows Vista and it’s rated as Critical. The patch varies based on the version of the Windows Media Format Runtime that is installed and isn’t OS specific. The vulnerability can allow remote code execution.

MS07-069 is the always-expected Internet Explorer cumulative update and is for Internet Explorer 6 and Internet Explorer 7 on Windows 2000, Windows XP and Windows Vista, and also for Internet Explorer 5.01 on Windows 2000. It’s rated as Critical on all desktop OSes.

I run a basic (no additional software) Windows Vista Ultimate VM and it updated without a problem. The same for a basic Windows XP SP2 VM I also run. The updates were installed through Automatic Update.

News & Links

ArsTechnica.com: Rating antivirus software: vendors to agree on standard testing guidelines – Software vendors are working to come up with a standard way of evaluating and comparing AV software.

ArsTechnica.com: SAFE Act won’t turn mom-and-pop shops into WiFi cops – There was a lot of hysteria about this bill in various articles. Mainly saying that it required free Wi-Fi providers to monitor users. Ars Technica has a more reasoned article (as they usually do).

Avast.com: Avast AntiVirus Home Edition – Free virus protection for your home PC – Avast has updated their free (for personal use) anti-virus software.

F-Secure.com: Data Security Summary – July to December 2007 – F-Secure has published their year-end data security summary in both written and video form.

Google Privacy: Emails, Off-the-record Chats – Continuing the privacy theme, information on Gmail and Google chat.

News.Com: Free online service cuts back on catalog clutter – Reduce the snail-mail spam.

News.com: Grisoft acquires Exploit Prevention Labs – Grisoft adds web page scanning to its tools.

OpenOffice.org: OpenOffice.org 2.3.1 Released – OOo released version 2.3.1 which patches one vulnerability and includes a few other bug fixes.

Techdirt.com: Verizon’s Idea Of Security: We Block Spyware… Unless It’s From Our Partners – TechDirt says Verizon’s security service has some deficiencies.

WashingtonPost.com: Top 10 Best & Worst Anti-Phishing Web Registrars – Security Fix – Some registrars are better than others when taking down phishing sites. Plus, there’s an effort to standardize the take down process.

WinSuperSite.com: Windows Live OneCare 2.0 Review – Good review of the latest Windows OneCare version.

Wired.com: AIM Hack Shows AOL Hasn’t Patched Critical Security Hole – AOL often plugs vulnerabilities in AIM by doing server-side filtering.

Yahoo.com: Google Disables Some Gmail Accounts by Mistake – Seems like Google disabled some Gmail accounts for spamming or other TOS violations. It’s all better now, but some mail may have been bounced.